Kaspersky Gives Its Side of the Story on How the NSA Lost Some of Its Hacking Tools

Russian cyber-security vendor Kaspersky Lab published today a report detailing its side of events on the whole Kaspersky-stole-US-government-files-for-Russia saga.

While US authorities had quietly investigated Kaspersky on suspected ties to the Russian government, nothing was known for the first few months of the year.

Only this fall, after reports from the Wall Street Journal and the New York Times, did the public find out that the US government suspected Russian FSB agents or other Kaspersky insiders of using the Kaspersky antivirus as an interactive search engine to scan computers all over the world.

The two media outlets implied that this is how classified US government files, taken home without permission by an NSA employee, ended up in the hands of the Russian government in a data leak unknown until that point.

Kaspersky says data collection was automatic, as designed

Kaspersky denied any wrongdoing all summer and especially after the recent media coverage, promising to start an investigation into what happened.

The preliminary findings of that investigation were published today. In the report, Kaspersky admits that it did indeed collect secret NSA documents, but says the collection was never intentional, as US media had implied.

The company said the collection process was automatic: the documents were hacking tools detected under signatures tied to malware that the company believed belonged to a cyber-espionage group it was investigating at the time.

This incident took place in 2014, and Kaspersky published a report on this group in 2015. The group's name and the report are now infamous (the Equation Group), and most security experts generally acknowledge that the group is the NSA's cyber-operations division.

CEO ordered the collected files to be destroyed

While Kaspersky does not go as far as to speculate about who owned the computer from which the Equation Group malware detections came, the company says that this user ran its antivirus designed for home users and had enabled "automatic sample submission of new and unknown malware."

Kaspersky says the files collected from that user "appeared to be new, unknown and debug variants of malware used by the Equation group."

Because it was new malware, an analyst took a look at the collected data to verify and classify the new detection. The company says this employee reported the files to the company's CEO, Eugene Kaspersky, after realizing that he might have discovered the source code of NSA tools.

In a surprising turn of events, Eugene Kaspersky ordered the files to be deleted. The company did not provide a reason why its CEO took this decision, but specified that it did not share the files with any third party.

Alleged NSA leaker was also infected with another backdoor

The findings of this report come to confirm unofficial theories that circulated in the infosec community regarding what really happened.

Most experts suspected that the Kaspersky antivirus did nothing more than do its job after a careless NSA employee smuggled hacking tools out of NSA's network and took them home, for unknown reasons.

Furthermore, Kaspersky complicated things even further today when it said it had also taken a look at telemetry data from the computer of the supposed NSA employee.

The Russian antivirus maker said the same user who apparently was harboring NSA hacking tools on his home PC was also infected with other malware shortly after.

Kaspersky claims the user downloaded a keygen in order to install a pirated version of Microsoft Office. As is usually the case with keygens for pirated software, this file was laced with malware, in this case the Win32.Mokes.hvl backdoor trojan.

What Kaspersky is trying to say by mentioning this detail in its report is that some random cybercrook also had access to the same computer that hosted NSA hacking tools.

Kaspersky detected NSA honeypots, behaved normally

The Mokes infection did not go unnoticed, and after realizing something was wrong, the same user scanned his computer multiple times with the Kaspersky antivirus. The AV reported back to the user not only the Mokes infection but also detections for the Equation Group malware.

At one point or another, the NSA employee appears to have reported the incident to his supervisors, or the NSA realized it had another leak, because after Kaspersky published the Equation Group report in February 2015, the company detected computers configured as "honeypots," harboring the same malware and in the same IP range as the initial detection.

This part of the report corroborates the WSJ report that said the US government had set up test computers in controlled experiments. Kaspersky said its product behaved as designed and only collected malicious executables, and not top secret or classified data as anonymous sources told the WSJ and NYT.

It's now the US government's turn to come clean

All in all, the Kaspersky report provides the technical details that were missing from the original reporting, painting a more believable storyline for the events that led to US officials banning Kaspersky from US government computers.

What's now left is for the US government to do the same and release a similar technical report. All the reporting we have on the Kaspersky allegations so far comes only from anonymous sources speaking to US media, with no official announcement from US authorities.

Of course, Kaspersky is not necessarily innocent just because it offered more details, as other details also need to be clarified, like a sales pitch it made to the US government in which it claimed it could use its AV product as a tool to help with the capture of terrorist suspects.

Also this week, Kaspersky announced a new transparency initiative that would allow approved auditors to review its products' source code for any hidden backdoors or suspicious behavior.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

This is a long read but informative: https://freedomhouse.org/report/freedom-net/2016/russia
Basically I think it states it does not matter what Kaspersky does, the Russian govt has control over their network and can decrypt anything they want at any time. If Kaspersky "accidentally" got this data, the Russian govt also had a chance to look at it too. If Kaspersky wants trust, it'll have to move off of Russian soil to do so.
Placing the blame on someone else is a useless ploy to detract from the facts.

So, an NSA worker sneaks classified malware onto his home PC, scans it with a commercial antivirus while leaving the feature that uploads suspected malware to the antivirus company's servers enabled, and it's all Kaspersky's fault?

"If Kaspersky wants trust, it'll have to move off of Russian soil to do so."

The same can be said for US-based software companies: if they want trust, they have to move off US soil.

@NickAu
Kaspersky isn't quite that guilty, but rather the Russian govt that has legal access to Kaspersky's servers. Nobody realized this until Kaspersky got hacked by some Israeli crackers. Was Kaspersky aware that the Russian govt had/has access to their servers? Cannot say.
And yes... I agree that the NSA isn't any better when it comes to privacy. But will the NSA arrest you, beat you up or make you disappear if you bad-mouth the U.S. govt?

Agreed: It's a little like Marshal Whitehat leaving his six-shooter on the front porch of the jail. Whoever swipes it to murder someone is 100% guilty of the crime; but the Marshal has to be held to account, too.

As a guess, I'd say the sheer size of the agency, which is a consequence of the scale of worldwide communications and the dynamic state of technologies to conceal messages in them, has pushed them to skimp on vetting (of their own employees, and especially of outside contractors).

It might have helped to put an air-gap between those (relatively few), that develop sophisticated penetration and exploitation tools, and those (the many), required to do most of the donkey-work. The few would be extremely well vetted; the rest of the individuals would each have access only to a small subset of sensitive material (putting a limit on damage from a leak).

Of course he has no proof. Dems are the ones that should never be trusted; they are behind all the Russia nonsense, specifically Clinton, Podesta and Robbie Mook, who are the 3 responsible for pushing the Russia lie.

Sometimes it seems a key factor gets overlooked, because it's so obvious: Internet/cloud/Software as a Service/telemetry, and that we are all breathing the same Internet air.

For all the advantages this new paradigm brings, also come intractable complications. When a person owned a PC, it sat in their house, and any software they loaded they had to physically bring into their house to do it. Once installed, if they wanted an update, they got another piece of media to bring into their house, and load on their PC.

Times have changed; yet our way of talking about the subject hasn't. We still talk about his or her computer (as if it were sovereign territory), loading a "piece" of software (as if it were a hermetically sealed black box object), "sending Jane or John Doe" an email or text (rather than your device tossing message packets into the Internet mix-master, trusting that it (rather than one of who knows how many copies) will reach the person's device), trusting that the "From" name in an email/text is the person we associate with the name, "visiting a website" (as if we always knew where the WWW bus was taking us), and on and on.

Yes, even we visitors of Bleeping Computer still use these outdated expressions; and that's OK, as long as we keep in mind that they don't mean what they used to, and our assessments and arguments have to be based on the new realities. Maybe it's a pain to have to be so careful in choosing our words; but that's where we are.

That article is based on a Kaspersky update released 3 months after my initial story. Didn't bring any new details to the original reporting except that it listed the actual malware the guy was infected with, all of which was mundane.